A critical vulnerability in SajiloCV which allowed me to download 100K + users resume

Sankalpa Baral
4 min readJun 14, 2023

--

Introduction:

Greetings, everyone! I hope you’re all doing well. I am Sankalpa Baral from Nepal, and it has been quite a while since I last published a write-up. Today, I have decided to share a vulnerability that I discovered a few months ago, which allowed me to download anyone’s resume. Let’s dive into the details.

Background:

One day, while casually scrolling through Reddit and I came across this post, so the post was about a friendly chess game between Nepal’s #1 and #2 highest rated players. I opened the YouTube video and saw it was sponsored by SajiloCV at that time I had no idea about the platform so I conducted some research. I found numerous Nepali YouTubers who had made videos on SajiloCV as part of paid promotions.

Exploring:

Curious about SajiloCV, I visited their website and noticed the absence of a registration page. Instead, they provided the option to log in using OAuth. Thus, I proceeded to log in using OAuth. The site was all about creating our resume and downloading it. I noticed there was an option to change our personal information so I simply changed my info and captured the HTTP request with burp.

Request

Like you, I thought of trying to manipulate the request by changing the “id” parameter. I replaced the existing value of 91432 with a random number and forwarded the request. Unfortunately, my attempt was met with a disappointing 403 Forbidden error, indicating that the system did not allow unauthorized access to user information.

Response

Another thing I did was editing my resume, I changed something in my resume and captured the HTTP request and tried changing the id parameter but again I got 403 forbidden error.

At that time I thought the site was fully secured and wasn’t vulnerable to IDOR but ….. There was an option to download our resume (Now you know what’s going to happen) I clicked on the download button and captured the HTTP request

I replaced 91432 with a random number and forwarded the request and I was expecting 403 forbidden but I got 200 OK response, indicating that I was able to download other users’ resumes., Damn how did it happen?

Unexpected 200 OK

Steps to reproduce:

1 Go to https://app.sajilocv.com/user-profile/resume

2 Click on “Download resume” and capture the request with burp

3 Modify the number in the request and forward it

4 You will be able to download other’s resume

Reporting:

Now it’s time to report the issue. since they didn’t have a bug bounty program(they still don’t have). I sent an E-mail to them saying this

If you find a security issue in any website which doesn’t have a bounty program and you want to report the issue then I suggest you to do this instead of directly sharing the vulnerability with them.

After sometime I got an Email from then saying “We are interested in knowing about the issue” so after that I reported the vulnerability to them. They patched the vulnerability within 2 weeks and rewarded me for my discovery. (The feeling after getting a reward from a Nepali company)

🤑🤑

Tip:

Whenever you add, update, or remove data, always remember to check for IDOR vulnerabilities.

I have also uploaded a proof-of-concept video on my YouTube channel. Feel free to check it out link

Bye:

Thank you for reading <3 I hope you found this write-up informative and gained some valuable insights.

--

--

Sankalpa Baral
Sankalpa Baral

Written by Sankalpa Baral

As a young enthusiast from Nepal, I am fascinated by the world of web app pentesting and ethical hacking.

Responses (3)